Hello Jingnan Xu,
We checked with the internal team on this parameter, which is used to set the Entra ID (Azure AD) groups that will have Cluster Admin Kubernetes RBAC automatically applied within the cluster. This should not be the cluster’s principal ID, but instead one or more groups that administer the cluster.
It maps to this field in the UX. You can find the object IDs for the respective Entra ID groups either through the Entra ID Portal or via [az ad group show](https://learn.microsoft.com/en-us/cli/azure/ad/group?view=azure-cli-latest#az-ad-group-show).
Hope this answer helps you. Please like the answer if you are satisfied with the answer.